From fc84692df03d4a09fe71e3a885ac6f0d0c881ac7ba1b7dd95cd04805bfc8fa6e Mon Sep 17 00:00:00 2001 From: Jason Sikes Date: Mon, 22 Feb 2021 15:21:06 +0000 Subject: [PATCH] Accepting request 873726 from security:tls:unstable - Update to 3.0.0 Alpha 12 * The SRP APIs have been deprecated. The old APIs do not work via providers, and there is no EVP interface to them. Unfortunately there is no replacement for these APIs at this time. * Add a compile time option to prevent the caching of provider fetched algorithms. This is enabled by including the no-cached-fetch option at configuration time. * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms then it cannot support connections with TLSv1.3. However OpenSSL now supports "pluggable" groups through providers. * The undocumented function X509_certificate_type() has been deprecated; applications can use X509_get0_pubkey() and X509_get0_signature() to get the same information. * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range() functions. They are identical to BN_rand() and BN_rand_range() respectively. * The default key generation method for the regular 2-prime RSA keys was changed to the FIPS 186-4 B.3.6 method (Generation of Probable Primes with Conditions Based on Auxiliary Probable Primes). This method is slower than the original method. * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions. They are replaced with the BN_check_prime() function that avoids possible misuse and always uses at least 64 rounds of the Miller-Rabin primality test. * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() as they are not useful with non-deprecated functions. - Update to 3.0.0 Alpha 11 * Deprecated the obsolete X9.31 RSA key generation related OBS-URL: https://build.opensuse.org/request/show/873726 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=23 --- openssl-3.0.0-alpha12.tar.gz | 3 + openssl-3.0.0-alpha12.tar.gz.asc | 11 ++++ openssl-3.0.0-alpha9.tar.gz | 3 - openssl-3.0.0-alpha9.tar.gz.asc | 11 ---- openssl-3.changes | 99 ++++++++++++++++++++++++++++++++ openssl-3.spec | 2 +- 6 files changed, 114 insertions(+), 15 deletions(-) create mode 100644 openssl-3.0.0-alpha12.tar.gz create mode 100644 openssl-3.0.0-alpha12.tar.gz.asc delete mode 100644 openssl-3.0.0-alpha9.tar.gz delete mode 100644 openssl-3.0.0-alpha9.tar.gz.asc diff --git a/openssl-3.0.0-alpha12.tar.gz b/openssl-3.0.0-alpha12.tar.gz new file mode 100644 index 0000000..1226da4 --- /dev/null +++ b/openssl-3.0.0-alpha12.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8d78239be66af578b969441252e7c125aa134ef3b9bac6179d84275cfe01950c +size 14142492 diff --git a/openssl-3.0.0-alpha12.tar.gz.asc b/openssl-3.0.0-alpha12.tar.gz.asc new file mode 100644 index 0000000..77192db --- /dev/null +++ b/openssl-3.0.0-alpha12.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAugwsACgkQ2cTSbQ5g +RJE4Wgf6A+BC1k0BFDx27kWfKX0gT2BrD4CjFqRFVXaYVp5GzV2+Z4t4i1YxO94P +VsZffgiepSkh9I4a1pnzrv8AQtljkNLInmfWjONL7wBmo7eIu5uevXojUR78xSTA +gF9TNs3w40krdUlhut7KUQ6BYaqLL1QEBMWRgnMlgtDGB0MIy6u6CMj+Fhhzy7Fx +PXhb4D74ZSVKNwalWIu3C0NtsNmfNs//o//gYq2k1bkoJlw+pjEHs6SQR0AD9Q+i +Cu4UIyhke/sURHonykkBRbyemJFzjWt6QUpNfb8f5AJAUFxm6S1FwT+e3iyolOGv +kjmGBO7H48PAsVnCgg03O9kk1KJurA== +=Kxt4 +-----END PGP SIGNATURE----- diff --git a/openssl-3.0.0-alpha9.tar.gz b/openssl-3.0.0-alpha9.tar.gz deleted file mode 100644 index c05375b..0000000 --- a/openssl-3.0.0-alpha9.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5762545c972d5e48783c751d3188ac19f6f9154ee4899433ba15f01c56b3eee6 -size 14058484 diff --git a/openssl-3.0.0-alpha9.tar.gz.asc b/openssl-3.0.0-alpha9.tar.gz.asc deleted file mode 100644 index 23b7395..0000000 --- a/openssl-3.0.0-alpha9.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl+/wWAACgkQ2cTSbQ5g -RJFDvwgAuocCys3M1rapCg2mwusx+Pl64TBgWVEJ3HwINnNu7DYMmvYSkN3YW94K -6YI7YH1god1/HhWqVxfAatDfctDfNz+k04m+L2v01d13OiHSajTx+J+2QSOltclD -V/Cswo/abj79YCz24d9785Py++PTkv/bd4wHvQD2i6OkCtK18Z1GNP90gjZ+Nf4a -1FLCA9W5CiN0yq3SodH6qe61XascIevYABu2o0LhU/tX9morrFsv0bazl3fZIiBL -DmkNbDn765WFAkhUKRrTRsCs9jJNwEQUYWtuA4Orjni3BDTaNTo6ij0ZjkBUxHfk -G5gbrIX+CGBPjSe+ROTa4E50SlGFSg== -=JUas ------END PGP SIGNATURE----- diff --git a/openssl-3.changes b/openssl-3.changes index 7c3a7fe..fdb376e 100644 --- a/openssl-3.changes +++ b/openssl-3.changes @@ -1,3 +1,102 @@ +------------------------------------------------------------------- +Fri Feb 19 08:58:35 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 12 + * The SRP APIs have been deprecated. The old APIs do not work via + providers, and there is no EVP interface to them. Unfortunately + there is no replacement for these APIs at this time. + * Add a compile time option to prevent the caching of provider + fetched algorithms. This is enabled by including the + no-cached-fetch option at configuration time. + * Combining the Configure options no-ec and no-dh no longer + disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms + then it cannot support connections with TLSv1.3. However OpenSSL + now supports "pluggable" groups through providers. + * The undocumented function X509_certificate_type() has been + deprecated; applications can use X509_get0_pubkey() and + X509_get0_signature() to get the same information. + * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range() + functions. They are identical to BN_rand() and BN_rand_range() + respectively. + * The default key generation method for the regular 2-prime RSA keys + was changed to the FIPS 186-4 B.3.6 method (Generation of Probable + Primes with Conditions Based on Auxiliary Probable Primes). This + method is slower than the original method. + * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() + functions. They are replaced with the BN_check_prime() function + that avoids possible misuse and always uses at least 64 rounds of + the Miller-Rabin primality test. + * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() + as they are not useful with non-deprecated functions. + +------------------------------------------------------------------- +Fri Feb 12 11:47:35 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 11 + * Deprecated the obsolete X9.31 RSA key generation related + functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), + and BN_X931_generate_prime_ex(). + * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*(). + These were used to collect all necessary data to form a HTTP + request, and to perform the HTTP transfer with that request. + With OpenSSL 3.0, the type is OSSL_HTTP_REQ_CTX, and the + deprecated functions are replaced with OSSL_HTTP_REQ_CTX_*(). + * Validation of SM2 keys has been separated from the validation of + regular EC keys, allowing to improve the SM2 validation process + to reject loaded private keys that are not conforming to the SM2 + ISO standard. In particular, a private scalar 'k' outside the + range '1 <= k < n-1' is now correctly rejected. + * Behavior of the 'pkey' app is changed, when using the '-check' + or '-pubcheck' switches: a validation failure triggers an early + exit, returning a failure exit status to the parent process. + * Changed behavior of SSL_CTX_set_ciphersuites() and + SSL_set_ciphersuites() to ignore unknown ciphers. + * All of the low level EC_KEY functions have been deprecated. + * Functions that read and write EC_KEY objects and that assign or + obtain EC_KEY objects from an EVP_PKEY are also deprecated. + * Added the '-copy_extensions' option to the 'x509' command for use + with '-req' and '-x509toreq'. When given with the 'copy' or + 'copyall' argument, all extensions in the request are copied to + the certificate or vice versa. + * Added the '-copy_extensions' option to the 'req' command for use + with '-x509'. When given with the 'copy' or 'copyall' argument, + all extensions in the certification request are copied to the + certificate. + * The 'x509', 'req', and 'ca' commands now make sure that X.509v3 + certificates they generate are by default RFC 5280 compliant in + the following sense: There is a subjectKeyIdentifier extension + with a hash value of the public key and for not self-signed certs + there is an authorityKeyIdentifier extension with a keyIdentifier + field or issuer information identifying the signing key. This is + done unless some configuration overrides the new default behavior, + such as 'subjectKeyIdentifier = none' and 'authorityKeyIdentifier + = none'. + +------------------------------------------------------------------- +Sat Jan 9 10:05:06 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 10 (CVE-2020-1971) + * See full changelog: www.openssl.org/news/changelog.html + * Fixed NULL pointer deref in the GENERAL_NAME_cmp function + This function could crash if both GENERAL_NAMEs contain an + EDIPARTYNAME. If an attacker can control both items being + compared then this could lead to a possible denial of service + attack. OpenSSL itself uses the GENERAL_NAME_cmp function for + two purposes: + 1) Comparing CRL distribution point names between an available + CRL and a CRL distribution point embedded in an X509 certificate + 2) When verifying that a timestamp response token signer matches + the timestamp authority name (exposed via the API functions + TS_RESP_verify_response and TS_RESP_verify_token) + * The -cipher-commands and -digest-commands options of the + command line utility list has been deprecated. Instead use + the -cipher-algorithms and -digest-algorithms options. + * Additionally functions that read and write DH objects such as + d2i_DHparams, i2d_DHparams, PEM_read_DHparam, PEM_write_DHparams + and other similar functions have also been deprecated. + Applications should instead use the OSSL_DECODER and OSSL_ENCODER + APIs to read and write DH files. + ------------------------------------------------------------------- Thu Dec 17 09:26:56 UTC 2020 - Pedro Monreal diff --git a/openssl-3.spec b/openssl-3.spec index c03b4c9..bbf8575 100644 --- a/openssl-3.spec +++ b/openssl-3.spec @@ -20,7 +20,7 @@ %define sover 3 %define _rname openssl %define vernum 3.0.0 -%define relnum alpha9 +%define relnum alpha12 %define dash_version %{vernum}-%{relnum} Name: openssl-3 # Don't forget to update the version in the "openssl" package!